SYSTEM AND METHOD FOR ACCESS MANAGEMENT AND SECURITY PROTECTION FOR NETWORK ACCESSIBLE COMPUTER SERVICES

US 20100251329A1
Filed: 03/24/2010
Published: 09/30/2010
Est. Priority Date: 03/31/2009
Status: Abandoned Application

First Claim

Patent Images

1. A method for providing access management and security protection to a computer service, comprising:

providing a computer service wherein said computer service is hosted at one or more servers and is accessible to clients via a first network;

providing a second network comprising a plurality of traffic processing nodes;

providing means for redirecting network traffic from said first network to said second network;

redirecting network traffic targeted to access said computer service via said first network to a traffic processing node of said second network via said means for redirecting network traffic;

inspecting and processing said redirected network traffic by said traffic processing node; and

routing only redirected network traffic that has been inspected, processed and approved by said traffic processing node to access said computer service via said second network.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for providing access management and security protection to a computer service includes providing a computer service that is hosted at one or more servers and is accessible to clients via a first network, providing a second network that includes a plurality of traffic processing nodes and providing means for redirecting network traffic from the first network to the second network. Next, redirecting network traffic targeted to access the computer service via the first network to a traffic processing node of the second network via the means for redirecting network traffic. Next, inspecting and processing the redirected network traffic by the traffic processing node and then routing only redirected network traffic that has been inspected, processed and approved by the traffic processing node to access the computer service via the second network.

Citations

41 Claims

1. A method for providing access management and security protection to a computer service, comprising:
- providing a computer service wherein said computer service is hosted at one or more servers and is accessible to clients via a first network;
  
  providing a second network comprising a plurality of traffic processing nodes;
  
  providing means for redirecting network traffic from said first network to said second network;
  
  redirecting network traffic targeted to access said computer service via said first network to a traffic processing node of said second network via said means for redirecting network traffic;
  
  inspecting and processing said redirected network traffic by said traffic processing node; and
  
  routing only redirected network traffic that has been inspected, processed and approved by said traffic processing node to access said computer service via said second network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1 wherein said second network comprises an overlay network superimposed over said first network.
  - 3. The method of claim 1, wherein said processing of said redirected network traffic comprises applying network traffic management comprising at least one of client throttling, geographic throttling or rate throttling.
  - 4. The method of claim 1, wherein said inspecting comprises inspecting said redirected network traffic for presence of malware, spyware, virus, adult content, worm, denial of service attack, injection attack or information scanning attack.
  - 5. The method of claim 4, further comprising upon confirmation of the presence of malware, spyware, virus, adult content, worm, denial of service attack, injection attack or information scanning attack, preventing said redirected network traffic from accessing said computer service.
  - 6. The method of claim 1 wherein said second network further comprises access management means and security protection means, and wherein said traffic processing nodes are configured to provide access management and security protection to said computer service, respectively, via said access management means and security protection means.
  - 7. The method of claim 6 further comprising applying access rules via said access management means and applying security rules via said security protection means to said redirected network traffic in real time.
  - 8. The method of claim 7 wherein said access rules and said security rules comprise aggregates of access rules and security rules applied to a plurality of computer services.
  - 9. The method of claim 8 further comprising providing means for monitoring network traffic parameters comprising at least one of network traffic volume, bandwidth consumption information, link congestion level, link latency, request URL, usage or origin IP, and then monitoring network traffic via said traffic monitoring means.
  - 10. The method of claim 9 wherein said second network further comprises a data processing system comprising one or more databases storing network traffic data produced by said monitoring means and said aggregate access rules and security rules and wherein said method further comprises sharing said network traffic data and said aggregate access rules and security rules among said plurality of computer services.
  - 11. The method of claim 10 wherein said data processing system further comprises means for analyzing said network traffic data stored in said databases and wherein said method further comprises analyzing said stored data with said analyzing means to determine key network metrics required for decision making.
  - 12. The method of claim 1 further comprising directing responses from said computer service to said traffic processing node of said second network and inspecting and processing said responses by said traffic processing node before returning said responses to said clients.
  - 13. The method of claim 1, wherein said means for redirecting network traffic comprises one of means for setting DNS “
    - NS”
      
      record, means for setting DNS CNAME record, means for setting “
      
      A”
      
      record, means for hosting DNS records at a DNS system that resolves hostname of said computer service to traffic processing nodes, means for setting client side proxy configurations, or means for network address translation.
  - 14. The method of claim 1 wherein said second network comprises virtual machines nodes.
  - 15. The method of claim 1, wherein said second network scales its processing capacity and network capacity by dynamically adjusting the number of traffic processing nodes.
  - 16. The method of claim 1, wherein said computer service comprises one of a web application, web service or email service.
  - 17. The method of claim 1 further comprising providing an access control gateway, and wherein said access control gateway is configured to provide access control and security control to said computer service by allowing only network traffic from said traffic processing nodes of said second network to access said computer service.
  - 18. The method of claim 17 wherein said access control gateway comprises a router configured to allow only network traffic with a specific signature to pass through.
  - 19. The method of claim 18 wherein said specific signature comprises one of an IP address or token.
  - 20. The method of claim 17 wherein said access control gateway comprises a private communication channel between said computer service and said second network.

21. A system for providing access management and security protection to a computer service, comprising:
- a first network providing network connections between one or more servers and a plurality of clients;
  
  a computer service wherein said computer service is hosted at said one or more servers and is accessible to said clients via said first network;
  
  a second network comprising a plurality of traffic processing nodes;
  
  means for redirecting network traffic targeted to access said computer service via said first network to a traffic processing node of said second network;
  
  means for inspecting and means for processing said redirected network traffic by said traffic processing node; and
  
  means for routing only redirected network traffic that has been inspected, processed and approved by said traffic processing node to access said computer service via said second network.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 22. The system of claim 21 wherein said second network comprises an overlay network superimposed over said first network.
  - 23. The system of claim 21, wherein said processing means of said redirected network traffic comprises network traffic management means comprising at least one of client throttling means, geographic throttling means or rate throttling means.
  - 24. The system of claim 21, wherein said means for inspecting comprises means for inspecting said redirected network traffic for presence of malware, spyware, virus, adult content, worm, denial of service attack, injection attack or information scanning attack.
  - 25. The system of claim 24 further comprising means for preventing said redirected network traffic from accessing said computer service upon confirmation of the presence of malware, spyware, virus, adult content, worm, denial of service attack, injection attack or information scanning attack.
  - 26. The system of claim 21 wherein said second network further comprises access management means and security protection means, and wherein said access management means and security protection means are configured to provide access management and security protection to said computer service, respectively.
  - 27. The system of claim 26 wherein said access management means and security management means apply access rules and security rules, respectively, to said redirected network traffic in real time.
  - 28. The system of claim 27 wherein said access rules and said security rules comprise aggregates of access rules and security rules applied to a plurality of computer services.
  - 29. The system of claim 28 further comprising means for monitoring network traffic parameters comprising at least one of network traffic volume, bandwidth consumption information, link congestion level, link latency, request URL or origin IP.
  - 30. The system of claim 29 wherein said second network further comprises a data processing system comprising one or more databases storing network traffic data produced by said monitoring means and said aggregate access rules and security rules and wherein said stored network traffic data and said aggregate access rules and security rules are shared among said plurality of computer services.
  - 31. The system of claim 30 wherein said data processing system further comprises means for analyzing said network traffic data stored in said databases.
  - 32. The system of claim 21 further comprising means for directing responses from said computer service to said traffic processing node of said second network and means for inspecting and means for processing said responses by said one traffic processing node before returning said responses to said clients.
  - 33. The system of claim 21, wherein said means for redirecting network traffic comprises one of means for setting DNS “
    - NS”
      
      record, means for setting DNS CNAME record, means for setting “
      
      A”
      
      record, means for hosting DNS records at a DNS system that resolves hostname of said computer service to traffic processing nodes, means for setting client side proxy configurations, or means for network address translation.
  - 34. The system of claim 21 wherein said second network comprises virtual machines nodes.
  - 35. The system of claim 21, wherein said second network scales its processing capacity and network capacity by dynamically adjusting the number of traffic processing nodes.
  - 36. The system of claim 21, wherein said computer service comprises one of a web application, web service or email service.
  - 37. The system of claim 21 further comprising an access control gateway, and wherein said access control gateway is configured to provide access control and security control to said computer service by allowing only network traffic from said traffic processing nodes of said second network to access said computer service.
  - 38. The system of claim 37 wherein said access control gateway comprises a router configured to allow only network traffic with a specific signature to pass through.
  - 39. The system of claim 38 wherein said specific signature comprises one of an IP address or token.
  - 40. The system of claim 37 wherein said access control gateway comprises a private communication channel between said computer service and said second network.

41. A method for providing access management and security protection to a computer service, comprising:
- providing a computer service wherein said computer service is hosted at one or more servers and is accessible to clients via a first network;
  
  providing a second network comprising a plurality of traffic processing nodes, access management means and security protection means, and wherein said access management means and security protection means are configured to provide access management and security protection to said computer service, respectively;
  
  providing means for redirecting network traffic from said first network to said second network;
  
  redirecting network traffic targeted to access said computer service via said first network to a traffic processing node of said second network via said means for redirecting network traffic;
  
  inspecting and processing said redirected network traffic by said one traffic processing node;
  
  applying access rules via said access management means and applying security rules via said security protection means to said redirected network traffic in real time; and
  
  routing only redirected network traffic that has been approved by said access management means and security protection means to access said computer service via said second network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Yottaa, Inc.
Original Assignee
Yottaa, Inc.
Inventors
WEI, COACH

Application Number

US12/730,303
Publication Number

US 20100251329A1
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 67/1001   for accessing one among a p...

SYSTEM AND METHOD FOR ACCESS MANAGEMENT AND SECURITY PROTECTION FOR NETWORK ACCESSIBLE COMPUTER SERVICES

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR ACCESS MANAGEMENT AND SECURITY PROTECTION FOR NETWORK ACCESSIBLE COMPUTER SERVICES

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links